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DETAILED ACTION 

Specification 

1 . The disclosure is objected to because of the following informalities: omitted 
application number (page 1 , line 6). 

Appropriate correction is required. 

Allowable Subject Matter 

2. Claims 28-29 and 31 are allowed. 

3. In regards to claims 28 and 31 the prior art of record does not disclose or 
suggest a first grid of cells having each cell associated with a security event category 
and a temporal value, wherein said first grid of cells is connected to a second grid of 
cells via association lines. 

4. Claims 13-20 and 22-27 are objected to as being dependent upon a rejected 
base claim, but would be allowable if rewritten in independent form including all of the 
limitations of the base claim and any intervening claims. 

5. In regards to claim 13 the prior art of record does not disclose or suggest a first 
graph having both a temporal axis and security category axis, wherein said first graph is 
connected to a second graph via association lines. 

6. In regards to claim 22 the prior art of record does not disclose or suggest a first 
grid of cells having each cell associated with a security event category and a temporal 
value, wherein said first grid of cells is connected to a second grid of cells via 
association lines. 

Claim Rejections - 35 USC §112 
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7. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

8. Claim 10 rejected under 35 U.S.C. 112, second paragraph, as being indefinite for 
failing to particularly point out and distinctly claim the subject matter which applicant 
regards as the invention. 

9. In regards to claim 10 it is unclear as to whether all or only one of the listed event 
types must be selected. Therefore, the claim limitation is considered to read with later 
of the two possibilities. 

Claim Rejections - 35 USC § 103 

10. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

11. Claims 1-12, 21 and 30 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over the SilentRunner Discovery Visualization Analysis Training Manual 
(herein referred to as STM), in view of Maloney et al. (U.S. Patent No. 6, 304, 262 B1). 

12. In regards to claim 1 the STM teaches that SilentRunner DVA system has the 
ability to produce a variety of 2D and 3D views to enhance the understanding of 
complex networks (section 3-1, section 3-2 and section 3-3, Fig. 3.2). The Collector 
LAN Engine (also referred to as CLE or Collector) monitors Ethernet LAN traffic and 
gathers data regarding a network, its structure, its method of operation, an its users. 
The CLE decodes the raw packet data and organizes it into a knowledgebase 
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(database) of information (section 3-3, U 3-5). A packet log file maintained by the CLE 
(considered part of said knowledgebase) contains information about each packet 
captured, including date and time, source and destination IP address (network element), 
source and destination MAC address, protocol used (security event), and port numbers 
(section 4-3, U 4). 

The Link Notebook application allows for the creation of "link charts" or diagrams 
from data collected by the CLE (section 8-3, U 1). The figure entitled "Link Study by 
Protocol Count" visually depicts categories of select protocols (security events) in a first 
section of display space (elements B) as well as visually depicts IP addresses (network 
elements) in a second section of said display space (elements A). Association lines 
(elements C), indicated by lines where one end terminates in an arrow, are displayed 
between groupings of a select numbers of protocols and IP addresses (section 8-24 and 
section 8-12, Fig. 8.9). 

STM fails to explicitly teach simulating 3D space on a 2D display device. 
Maloney et al. teaches a software system which enables computer code analysis and 
the 3D visualization and animation of network traffic and structure (see column 2, lines 
1-11). The 3D display 24 adds a third dimension to any of the data collect by the 
discovery tool 12 to view, animate, and analyze complex nodal diagrams in 3D space. 

It would have been obvious to one skilled in the art, at the time of the applicant's 
invention, to add a third dimension to the display of data, presented in two dimensions, 
because the addition of a third vector would permit for the simultaneous viewing of large 
complex diagrams on interconnected planes as well as allow for the rotation of the 
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diagrams on any axis thereby viewing relationships that would otherwise become 
obscured when viewed on 2D planes (column 11, lines 26-38, and Fig. 1). 

13. In regards to claim 2 the rationale disclosed in claim 1 is incorporated herein. 
STM teaches the various components for the diagramming tool (section 8-3, U 6). 
Elements A (sections 8-12 and 8-24) are considered to represent host computer 
systems. It is noted that a network element (i.e. IP address) is used to identify a system 
to which it corresponds, such as host computer system, and therefor is considered one 
in the same. 

14. In regards to claim 3 the rationale disclosed in claim 1 is incorporated herein. 
Said categories are represented by elements B (first graphical objects) and said 
network elements are represented by elements A (second graphical objects). 

15. In regards to claim 4 said second graphical object is considered an image of a 
host computer system (section 8-12, Fig. 8.9, and section 8-24). 

16. In regards to claim 5 STM teaches varying screen positions of geometrical 
objects, representative of network elements (section 8-12, Fig. 8.9, and section 8-24). 

17. In regards to claim 6 STM teaches the use of text (i.e. an alpha-numeric IP 
address) describing a geometric object (section 8-12, Fig. 8.9, and section 8-24). 

18. In regards to claim 7 said "link chat" or diagram is considered a graph. STM 
teaches varying screen positions of first graphical object (section 8-12, Fig. 8.9, and 
section 8-24). 

19. In regards to claim 8 STM teaches the use of text with elements B (section 8-12, 
Fig. 8.9, and section 8-24). 
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20. In regards to claim 9 STM teaches a plurality of visual depictions of associations 
(trusted relationships) between host computer systems which are achieved through the 
use of said association lines. It is noted that the connection of a plurality of host 
computer systems, utilizing any number of protocols, is considered to involve the mutual 
accessing of data by said plurality of host computer systems. 

21. In regards to claim 10 it is noted that network protocols (i.e. HTTP, HTTPS, 
POP3, etc.) are considered forms of network access. 

22. In regards to claim 1 1 STM teaches that a packet log file (considered part of said 
knowledgebase) maintained by the CLE contains information about each packet 
captured, including date and time, source and destination IP address, source and 
destination MAC address, protocol used, and port numbers (section 4-3, U 4). It is 
noted that said stored IP address (source/destination) information and port number 
information are considered first and second properties, respectively, of a given network 
element. 

23. In regards to claim 12 the rationale disclosed in the rejection of claim 4 is 
incorporated herein. 

24. In regards to claim 21 the rationale disclosed in the rejection of claim 1 is 
incorporated herein. 

25. In regards to claim 30 the rationale disclosed in the rejection of claim 1 is 
incorporated herein. It is noted that said SilentRunner DVA system is considered to be 
implement via computer software (section 3-1 and section 3-2). 

Conclusion 
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The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure: Schwuttke et al. (U.S. Patent Number 6, 222, 547 B1). 
Schwuttke et al. teaches that both static and dynamic information, gathered from 
monitored systems, is displayed in 3D cybersapce representations definining a virtual 
universe having three dimensions. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Peter-Anthony Pappas whose telephone number is 703- 
305-8984. The examiner can normally be reached on M-F 9:30am-7pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Mark Zimmerman can be reached on 703-305-9798. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 


Peter-Anthony Pappas 

Examiner 

Art Unit 2671 
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